Beyond Passwords

From door-latches to iris-scans, the art of blocking people has gone a long way. And it’s still going.

In the beginning, people didn’t have passwords. They could just go wherever they wanted to, unless someone else stopped them.

But how would they know whom to stop and whom to let through? Small groups were easy. If it was a person’s family, then they could all be recognised easily. But if the group was a large one, like a secret society, then the problem was much harder. It was hard to recognise everyone, especially if they were specifically dressed so as not to be recognised.

That’s possibly when people started using passwords: a secret word that only members of the group knew, and which they would have to say to be allowed in.

Passwords weren’t just used for secret societies. They could also be used by royal servants to be let in by the palace guards, or even by residents while entering a heavily guarded village or city.

Sometimes, the passwords weren’t really words. They could be random words, like ‘cauliflower’, but they could also be phrases like “The dogs bark and the camels pass”. Sometimes a new one would be decided for every meeting, and sometimes it would be a fixed phrase that people always used before passing through. The main point was that only authorised people would know what to say when asked for the ‘password’.

Meanwhile, people also had another problem. They had taken to staying in the same place instead of moving around to wherever the food was. They had started growing the food themselves. They started collecting that food, as well as the tools used to make it, and keeping them in a special place where they could get to it whenever they needed to.

And because they had done all the work of collecting it, they didn’t want anyone else to come and take it away from them.

That was easy enough when someone was there to guard the stuff. But what if they were all busy with other work? What if they were out collecting more food, or taking it from other people who hadn’t protected theirs well enough? The problem was of how to guard things when there wasn’t anyone there to guard them.

Squirrels and chipmunks came up with one solution. They would hide away their food in a special place that nobody else knew about. That’s kind of like a password. It’s just that, instead of knowing what to say, you need to know where to look.

The only flaw was that, while looking, you didn’t have to get it right the first time. If you tried to gatecrash into a secret meeting and got the password wrong a few times, you would get thrown out. But if you looked in the wrong place for a stash of nuts, all you’d have to do would be to keep on looking.

And some people had all the time in the world to look.

So instead of worrying about where to look, humans decided to worry about how to lock. The earliest known lock was made in Egypt, over six thousand years ago. It was what is known as a ‘pin tumbler lock’. It was basically a hollow wooden rod, inside a box on the door, with wooden pegs sticking into it.

The rod was inside a hole where it could slide back and forth like a latch — except it couldn’t, because the pegs were in the way. The pegs would hold the rod in place, and not let it go free.

So how would the rod be moved? The key to the problem was, well, a key. A wooden stick with bumps sticking up in just the right places to lift the pegs.

The key would go inside the hollow rod, and then be lifted up to raise the pegs and let the rod go free.

So now, only the person who had the key could open the door. It was kind of like a password, except that you had to hold it instead of saying it.

Over the years, humans started to make more advanced locks, and then more advanced other things like calculators and computers.

In the beginning, a computer was just an advanced calculator. Instead of punching buttons to give instructions, you could punch out holes in cards using a special typewriter. The holes were a bit like alphabets, except that only computers could read them. And computer experts, of course.

Because of the way they were used, computers were just another tool — albeit a very expensive one. They were only used in large places like universities.

Early computers would be kept locked up so that people didn’t steal parts of them. Special operators would take in the punch-card instructions, and feed them into the computer. The results would then be printed out and sent back to whoever asked for them, without them looking at the computer at all.

Then, computers became more advanced. Instead of using punch-cards, instructions could be typed directly into the computer. Instead of using printouts, the computer would project the answer directly onto an attached screen. Computers never quite forgot their old ways, though. That’s why, in many programming languages, the command for writing stuff on the screen is still called print.

Computers were still big things. One computer would have many ‘terminals’ — sets of keyboard and screen — attached to it. People could come and work at those terminals, unless, of course, other people were already using them. By now, people could store all their work right on the computer itself. The only issue was that everyone’s files would be all on the same computer, and it would get very messy and confusing.

That’s why people started having ‘accounts’.

The ‘accounts’ idea worked like this: before they started using a terminal, people would type in their name. That terminal would then be counted as ‘logged in’ to their account, which means that only that person’s files and data would appear on that particular terminal.

Unfortunately, there was nothing preventing a person from typing in someone else’s name and accessing their account instead.

To solve that problem, the Massachusetts Institute of Technology (MIT) developed a system for their computer that used — you guessed it — passwords.

MIT had just set up a new computer, the Compatible Time-Sharing System, or CTSS, that allowed users to log in whenever they needed, but for a limited amount of time per day. The password system was to prevent people from entering someone else’s account and using up their time instead. So every person had a secret ‘password’ that had to be typed in along with their username to use the account.

This ‘password’ system worked the same way as other passwords, except that a computer took the place of the guard at the city gates.

Just a year after the password system was set up, it experienced its first break-in. The CTSS had a system where you could ask for any file to be printed out, by submitting a punch-card with the file name. So, one Friday night in 1962, PhD researcher Allan Scherr requested a printout of the file where the passwords were stored. His research needed more computer-time than the four hours he was allowed, so he decided to try using other people’s computer-time as well.

On Saturday morning, Scherr made an early visit to the computer lab, and collected his neatly printed list of all the users of the computer, along with their passwords! He also distributed the list to some of his fellow users, to “spread the guilt around”.

Nowadays, stealing passwords is not so simple. Computers have better protections to prevent the list from getting out. But sometimes, the list can still get out — revealing everyone’s passwords.

That’s why people invented a new way of storing passwords, called ‘hashing’. Hashing involves making a calculation that’s easier to do than to un-do. A bit like how it’s easier to find out the square of 14 than the square root of 196. Of course, the actual calculations used are much more complicated.

The main point is that you take a password like ‘cabbages’ and run it through a ‘hashing algorithm’, which produces a jumble of letters like pbkdf2:sha1:1000$HJDAILiA$50576590b236eb3534ce15b752b8e9289081d598 called a ‘hash’. That hash is what is stored instead of the actual password.

Next time someone tries to log in, you take the password they type and pass it through the same hashing algorithm. If the new hash matches the one in the list, it means the password was also correct. That way, you can check people’s passwords without knowing what their password actually is.

Why does that help? Because then, if a hacker manages to break into a user database, they won’t get any passwords. All they’ll get is a list of hashes.

Which would be practically useless. You can’t figure out the password from a hash, even if you know the hashing function. Why not? Because the hashing function uses calculations that are too hard to do in reverse. So hard that even the most powerful computers would take centuries to work it out, by which time the users would already be long gone — and besides, they’d have probably updated their passwords. A hacker would be better off just guessing the password.
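The store-then-compare scheme described above, as an added example that is not code from the article: it produces and checks hashes in the same `pbkdf2:sha1:1000$salt$hexdigest` layout as the page’s sample string. It assumes the salt is stored as plain text and used as UTF-8 bytes, and it keeps the page’s 1000 iterations only to match that format (real deployments use far more).

```python
import hashlib
import hmac
import os

# Layout from the article: method:hashname:iterations$salt$hexdigest
DEFAULT_ITERATIONS = 1000   # matches the page's sample; production should use many more
DEFAULT_HASHNAME = "sha1"   # as in the page's sample string


def hash_password(password, salt=None, iterations=DEFAULT_ITERATIONS,
                  hashname=DEFAULT_HASHNAME):
    """Return the string that gets stored instead of the password."""
    if salt is None:
        # A fresh random salt per user: two people with the same password
        # end up with different hashes, so one leaked list can't be reused.
        salt = os.urandom(6).hex()
    digest = hashlib.pbkdf2_hmac(hashname, password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    return f"pbkdf2:{hashname}:{iterations}${salt}${digest.hex()}"


def verify_password(stored, candidate):
    """Re-run the same calculation on the typed password and compare hashes."""
    method, salt, digest = stored.split("$", 2)
    kind, hashname, iterations = method.split(":")
    if kind != "pbkdf2":
        raise ValueError("unsupported hash method: " + kind)
    recomputed = hashlib.pbkdf2_hmac(hashname, candidate.encode("utf-8"),
                                     salt.encode("utf-8"), int(iterations)).hex()
    # Constant-time comparison, so timing doesn't leak how many characters matched.
    return hmac.compare_digest(recomputed, digest)


if __name__ == "__main__":
    # Constructed sample: the article's password and salt, not its exact digest.
    record = hash_password("cabbages", salt="HJDAILiA")
    print(record)
    print(verify_password(record, "cabbages"), verify_password(record, "cabbage"))
```

The stored record never contains ‘cabbages’ itself, which is the whole point: a leaked list of these strings tells an attacker only that guessing is the remaining option.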

As it turns out, guessing is a pretty effective method.

The word ‘password’ is one of the most common computer passwords. Among others are ‘qwerty’, ‘12345’, ‘baseball’ and ‘iloveyou’. Many people use very simple passwords that are easy to remember. Unfortunately, a password that’s easy to remember is also easy to guess.

An estimated 90% of online accounts use one of the top 10,000 passwords. And 10,000 is practically nothing for a computer to guess through.

But people have a point. With hundreds of different websites and services to sign in to, passwords get a bit too many to remember. Even if you know what they are, you’ll forget which website they’re used for.

There have been many attempts to solve this problem. Some people use ‘password managers’ that type in their passwords for them. Others let their browsers remember the password, and simply click the “Forgot Password” link every time they sign in from a new place. (In fact, “Forgot Password” is clicked so often that some websites like Medium don’t even use passwords. They email you a one-time “sign in now” link in place of the “reset password” one.)

And there’s a much simpler method you can start using right away: passphrases. A passphrase is basically a password which is a sentence instead of a word. Just like “The dogs bark and the camels pass” from the olden days. But because a phrase has so many more letters, it’s much harder to guess than a single word — unless it’s a very common phrase, of course.

Occasionally, people just do away with passwords altogether. They follow the squirrel, and hide things where people won’t find them. Have you seen websites which let you make “unlisted” photo-albums or blog-posts visible to “anyone with the link”? These photos and posts don’t show up in search-engines. Anyone who types in the correct web address can see them — but most people wouldn’t know the correct web address.

This type of hiding is called ‘security by obscurity’. People can’t spy on something because they don’t even know it exists.

On the Internet, this method of security by obscurity isn’t all that different from ordinary passwords. The only difference is that you type one in the password-box and the other in the address-bar.

However, that difference is actually a big one. If it’s a password-box, programs know there’s a password inside. Your browser will take special care to hide it. But if it’s just a web address that you’re keeping secret, the computer won’t know that. All it takes is someone looking at your browser history — and there goes your precious top-secret blog-post.

A leaked blog post is usually not that bad. But people try the squirrel’s method on more sensitive documents as well.

In one of his articles, software engineer Kiran Jonnalagadda recalls working for a government agency that allows printing out of land records. In the process, Jonnalagadda’s company needed access to some data from the government: information about who was printing the land-records, and from where they did it. Eventually, an arrangement was worked out: the data would come every day, inside a public web folder. Everyone was to keep quiet about that folder, and make sure nobody else found out.

The folder also contained similar data for other government agencies. Data that Jonnalagadda’s team were not supposed to look at. And for some reason that he never quite figured out, it was named BESCOMLogs after the Bangalore Electricity Supply Company.

So in this case, sensitive government data was technically visible to anyone who knew about it, or even to those who stumbled upon it by mistake!

A better idea is to keep folders secret and password-protect them. That way, the information is sealed properly under two layers of security. It’s a bit like having to guess a squirrel’s password even after you’ve found out where it keeps its stash of nuts.

Keeping track of passwords is not easy. Having one password for all your websites is a bad idea: if one of the websites is hacked, the password can be used to access your other accounts as well.

Even Facebook creator Mark Zuckerberg fell for this trap. In 2012, social network LinkedIn had its passwords leaked (no, they weren’t printed out). In the process, hackers learned that Zuckerberg’s password was set to ‘dadada’. Then, they tried the password on his Twitter account and managed to gain control of that as well.

Wouldn’t it be nice if you could have just one nice, strong password, sign in at one place, and automatically be signed in everywhere else as well?

That’s exactly what OpenID was created for.

If you’ve used the “Sign in with Google” or “Log in with GitHub” buttons around the web, you’ve seen OpenID in action. The idea was that you have one account on an ‘OpenID provider’, like GitHub or Google. You log in to that provider the usual way, using a username and password.

The difference was that, after logging in, you could use your OpenID to sign in to other websites as well.

Suppose you want to sign in to, say, Disqus. You go to the Disqus website and say you want to use your (for example) Google account to sign in. So the Disqus server sends a message to the Google server saying, “Hey, somebody wants to sign in.” Google replies with a “Sure, send them to this URL”.

The person is then sent to the Google websites to sign in, after which Google sends the person back to Disqus, saying “This person is signed in now, and here is the username”.

Of course, your OpenID provider would ask for your permission first, confirming that you really want to sign in to that website. The latest version, OpenID Connect, makes use of a new system called OAuth. That lets you not just sign in, but also gives additional permission to the website you sign in to — for example, Google can allow them to manage your photos or sort your emails.

While password logins are like security-guards at the gates of the palace, OpenID is like a royal token from the King, allowing you to enter any city in the kingdom. And OAuth is like an escort, allowing workers from the city to come to the palace, but preventing them from doing anything they’re not supposed to.

Of course the OpenID system has a weak spot. If somebody breaks into your main account — if there’s a coup in the palace — then they’ll be able to access all your other accounts as well.

The bottom line is: OpenID is convenient, but make sure you set a very strong password.

Actually, that’s not quite the bottom line. There are a few more lines underneath.

Some companies have taken to using Two-Factor Authentication, or 2FA, for signing in. So when you want to get into your OpenID account, you need to type in not just the password, but also an additional verification code that gets SMSed to your mobile. That means other people can’t break in even if they guess your password: they’ll need to steal your cellphone as well.

2FA is more secure, but it’s also more cumbersome. A quicker method would be fingerprint or iris recognition. Everyone’s finger and iris patterns are unique, so you could just swipe your finger or show your eye, and nobody else could pretend to be you. (In fact, everyone’s ear patterns are also unique. Since many people use smartphones to access the Internet, ear-pattern checks may be more convenient, as people will already be used to holding phones up to their ears).

Of course, the most convenient would be if the computer could just look at your face and recognise who you were — just as people used to do in the days before passwords were invented. That would be a great advance in technology.

Although, in a way, it would also be back to square one.
